Most Purple Team exercises happen in the shadows. Red attacks, and Blue defends. But rarely do they sit at the same table, sharing everything in real time. What if they did?
In previous Dispatch posts, we’ve explored why testing your security defenses is essential. This time, we’ll explore a more collaborative approach: fully transparent Purple Teaming, where your red and blue teams coordinate every stage of an engagement together.
Much like threat hunting, this approach prioritizes knowledge. The goal isn’t just running attacks or testing detections but creating space for defenders and attackers to learn and share insights, refine tradecraft, and sharpen detection and response skills in real time.
Giving Kudos Where Kudos is Due
Scythe’s Purple Team Exercise Framework (PTEF) inspired many of the following ideas. It’s a fantastic resource and a great starting point if you’re looking to level up your Purple Teaming.
I’ve taken these concepts and expanded on them with my own experiences, adding workflow tweaks and ways to make fully transparent Purple Teaming a consistent part of your security program.
What is Fully Transparent Purple Teaming?
Unlike the blind Purple Team exercises John previously described, fully transparent Purple Team exercises are built on complete openness from the start. Red Teams, Blue Teams, and any key stakeholders (more on that later) collaborate openly and continuously, sharing insights throughout the engagement. This means zero secrets: every move is shared, and every detection effort is observed in real time.
Benefits
Collaboration between your typically siloed Red and Blue teams. Purple creates a rare opportunity for cross-team collaboration. This helps bridge gaps, build empathy, and make everyone better.
Test your defenses. Validate that detections trigger as expected, response processes function, and the team can spot and react to attackers in your environment.
Intelligence-Driven Engagements
Similar to threat hunting, these types of engagements should be driven by threat intelligence. Think of threat intelligence that is specifically targeted toward your organization. This can be as simple as looking up OSINT or using The DFIR Report’s articles as guides. If you have threat intelligence analysts, have them write up a report detailing intel that can be used based on the engagement scope. You can also use ideas from previous Red Team exercises or even incidents reported by the Blue Team.
Roles
A successful, fully transparent Purple Team engagement relies on clearly defined roles that help participants know their responsibilities and expectations. The Red Team is responsible for creating the adversary emulation plan and emulating the adversary behaviors, not just executing attacks but explaining their methods in detail. The Blue Team (SOC analysts, threat hunters, detection engineers, incident responders, and threat intelligence analysts) actively engages during each scenario to observe, detect, and refine defenses. Meanwhile, the Threat Intelligence (TI) team anchors the exercise, curating threat-informed scenarios based on the adversary TTPs most likely to affect your organization.
But wait, how do you ensure things run smoothly? A dedicated Exercise Coordinator keeps the engagement on track, ensuring information flows freely, facilitating discussion points, and making sure nothing gets missed. This can be a representative from any of the involved teams! This role often gets skipped over, but it’s critical for success and a great opportunity for someone to get some leadership experience!
But wait (yes, again; last time, I promise), what about other stakeholders? Say part of your engagement is testing against your Jira instance. You should probably involve your tool owners, or at least inform them ahead of time, if you are going to dump all the data from their tool!
Make sure all your roles are clearly defined and expectations are set. That way, when you get to the exercise, there is no overlapping of work, and every participant has their focus.
See the diagram below from Scythe to help you determine who needs to be involved and why:
Transparent Purple Team Workflow
This is a four-phase approach, starting with planning and feeding back into planning! Each engagement should build on the last, and each team should learn from the other. Think knowledge! This is key to building your program. Check out the diagram below from Scythe and be ready to dive into the four phases of the transparent Purple Team lifecycle.
Planning
Threat Intelligence kicks off the engagement by identifying realistic adversary tactics, techniques, and procedures (TTPs). These could range from a full attack chain to a narrow set of techniques. Start small and scale based on your organization’s appetite for risk and time commitment. The entire team (Red and Blue) aligns early by defining objectives, success metrics, and scope. Expect planning to take anywhere from a few days to a couple of weeks, depending on the complexity and the stakeholders involved.
Threat Intelligence
Threat Intelligence should guide the engagements from start to finish. Once the scope is identified, intel can produce a focused report outlining the specific TTPs and why they matter to the organization. The Red Team partners closely with Intel to build an adversary emulation plan that aligns with real-world threats, ensuring the test is relevant, credible, and valuable. Intel should be involved throughout the exercise.
Exercise Execution
The exercise runs as a collaborative event, ideally a week-long engagement to allow time for thoughtful execution and knowledge sharing. Execution involves taking your adversary emulation plan and running through it procedure by procedure as a group. This can be an in-person or virtual event, but either way we want to ensure that we are sharing and being transparent. The Red Team demonstrates a TTP in real time, while the Blue Team actively observes, investigates, and shares findings as they unfold. This turns the engagement into a learning environment where defenders and attackers work together.
Lessons Learned
After each scenario, teams immediately discuss what worked and what didn’t. Where did we detect, miss, or need to improve? Can’t implement immediately? Create action items or tickets to hold everyone accountable.
How is success measured? If it isn’t measured, it didn’t happen. Metrics like Mean Time to Detect (MTTD) or “number of Blue Team tears shed” are fair game.
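As an added illustration of the metrics above (this is not code from the original post or from Scythe’s framework), here is a small Python tracker for an emulation plan: it records when Red ran each procedure and when Blue first saw it, computes MTTD over detected procedures only (a miss is reported, not averaged in as zero), and turns misses and hunt-only detections into action items for the lessons-learned phase. The technique IDs and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Procedure:
    """One line of the adversary emulation plan, filled in as the group runs it."""
    technique_id: str                # ATT&CK technique ID from the intel report
    name: str
    executed_at: datetime            # when Red ran the procedure
    detected_at: Optional[datetime]  # when Blue first saw it; None means a miss
    alerted: bool = False            # True if an alert fired; False if found only by hunting


def detection_rate(plan):
    """Share of procedures Blue detected at all, by alert or by hunt."""
    return sum(p.detected_at is not None for p in plan) / len(plan)


def mttd_minutes(plan):
    """Mean Time to Detect in minutes, over detected procedures only (None if nothing was detected)."""
    deltas = [(p.detected_at - p.executed_at).total_seconds() / 60
              for p in plan if p.detected_at is not None]
    return mean(deltas) if deltas else None


def action_items(plan):
    """Ticket titles for the lessons-learned phase: one per miss, one per hunt-only detection."""
    items = []
    for p in plan:
        if p.detected_at is None:
            items.append(f"[MISS] {p.technique_id} {p.name}: build detection")
        elif not p.alerted:
            items.append(f"[HUNT-ONLY] {p.technique_id} {p.name}: promote hunt query to alert")
    return items


def at(hour, minute):
    """Constructed timestamp helper for the sample exercise day."""
    return datetime(2025, 1, 1, hour, minute)


# Constructed sample results for one exercise day (not from a real engagement)
PLAN = [
    Procedure("T1053.005", "Scheduled task persistence", at(9, 0), at(9, 4), alerted=True),
    Procedure("T1003", "Credential dumping", at(9, 30), at(9, 32), alerted=True),
    Procedure("T1021", "Remote services lateral movement", at(10, 0), at(10, 45)),
    Procedure("T1048", "Exfiltration over alternative protocol", at(11, 0), None),
]
```

Running `action_items(PLAN)` gives the two tickets the group would open in lessons learned, while `detection_rate` and `mttd_minutes` feed the leadership readout.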
Now, to really prove the value of Purple Teaming, you need to share your findings. A report is a great place to start. This report shouldn't be all on one person; all participants involved should add content. The Exercise Coordinator can lead this work, but it should be a collective effort that covers the engagement, including the findings. Remember, we want to ensure we are showing the benefits of Purple Teaming so we can keep doing it!
Finally, schedule a readout for leadership. This is your chance to highlight the impact of the engagement! Use this time to share what you learned, what you improved, and what’s next for Purple Team. This connects your work back to business risk, showing the value of all your efforts.
Other Engagement Types
Outside of a full-fledged engagement, there are other options you should consider.
Re-Runs
Have you had an exercise in which your defenses did not do so well? Retest them after you’ve done the hard work of implementing detections and other mitigations.
Ad-hoc
Do you have an idea that you want to run quickly? Say it takes 4-8 hours, and you need some resources from both the Red and Blue teams. Let’s run a very narrowly scoped ad-hoc Purple Team engagement, where we are still documenting everything and collaborating without the overhead of a full engagement.
Wrapping It Up
Fully transparent Purple Teaming isn’t your typical war game; it’s where your teams really LEARN. Red and Blue sharpen their skills together, and everyone walks away smarter (hopefully).
It’s collaborative, and it's how your teams grow and get better. Test, learn, repeat. Practice makes perfect when the real threat actors are attacking your environment.
Happy purple teaming! (Oh yeah, and happy thrunting of course)
Call to Action
If you caught John’s post on blind Purple Teaming, you know there’s a time and place for keeping things stealthy. But when it comes to building skills and breaking down silos, fully transparent Purple Teaming hits different.
We’d love to hear how your team approaches these exercises. Have you tried running one transparently? What worked? What didn’t?
Drop your thoughts in the comments, or tell us what you want us to dig into next!